Revocation of digital certificates in a public-key infrastructure is disclosed, particularly in the case when a certificate might need to be revoked prior to its expirations. For example, if an employee was terminated or switched roles, his current certificate should no longer be valid. Accordingly, novel methods, components and systems are presented for addressing this problem. A solution set forth herein is based on the construction of grounded dense hash trees. In addition, the grounded dense hash tree approach also provides a time-communication tradeoff compared to the basic chain-based version of NOVOMODO, and this tradeoff yields a direct improvement in computation time in practical situations.
Legal claims defining the scope of protection, as filed with the USPTO.
1. A method comprising: generating, using an electronic computing device, certificate data having validity and revocation targets, the validity target being a value of a root of a grounded dense hash tree; and issuing a certificate with the certificate data.
2. The method defined in claim 1 wherein the certificate data further includes one or more of a group consisting of: a public key, a serial number, a string to serve as an identity of an owner of the certificate, an issue date, and an expiration date.
3. The method defined in claim 1 wherein the grounded dense hash tree includes a bottom row of leaves augmented with hash chains.
4. The method defined in claim 1 wherein the grounded hash tree comprises a balanced binary tree on top of a bottom level of vertices, wherein randomly chosen values are assigned to the bottom level of vertices, and a value generated as a result of a one-way function for each vertex in a layer on top of the bottom level of vertices.
5. The method defined in claim 1 wherein the certificate further comprises a signature of a certificate authority on the certificate data having the validity and revocation targets.
6. The method defined in claim 1 further comprising updating validity of the certificate periodically, including issuing a new value for the revocation target.
7. An article of manufacture having one or more non-transitory computer readable storage media storing instructions thereon which, when executed by a system, cause the system to perform a method comprising: constructing certificate data having validity and revocation targets, the validity target being a value of a root of a grounded dense hash tree; and issuing a certificate with the certificate data.
8. The article of manufacture defined in claim 7 wherein the certificate data further includes one or more of a group consisting of: a public key, a serial number, a string to serve as an identity of an owner of the certificate, an issue date, and an expiration date.
9. The article of manufacture defined in claim 7 wherein the grounded dense hash tree includes a bottom row of leaves augmented with hash chains.
10. The article of manufacture defined in claim 7 wherein the grounded dense hash tree comprises a balanced binary tree on top of a bottom level of vertices, wherein randomly chosen values are assigned to the bottom level of vertices, and a value generated as a result of a one-way function for each vertex in a layer on top of the bottom level of vertices.
11. The article of manufacture defined in claim 7 wherein the certificate further comprises a signature of a certificate authority on the certificate data having the validity and revocation targets.
12. The article of manufacture defined in claim 7 further comprising updating validity of the certificate periodically, including issuing a new value for the revocation target.
13. An apparatus comprising: an external network interface; a memory; and a processor coupled to the external network interface and the memory, wherein the processor issues a certificate having certificate data with validity and revocation targets, wherein the validity target is a value of a root of a grounded dense hash tree.
14. An apparatus comprising: means for generating certificate data having validity and revocation targets, the validity target being a value of a root of a grounded dense hash tree; and means for issuing a certificate with the certificate data.
15. A method comprising: accessing a proof of validity for a plurality of certificates; and determining, using an electronic computing device, the validity of multiple certificates of the plurality of certificates using a single grounded dense hash tree.
16. An apparatus comprising: an external network interface through which a request for validation status information for a certificate at a specific interval is made; a memory; and a processor coupled to the external network interface and the memory, wherein the processor accesses a proof of validity for a plurality of certificates and determines the validity of multiple certificates of the plurality of certificates using a single grounded dense hash tree.
17. A method comprising: determining whether a plurality of certificates are valid using a single grounded dense hash tree; and handling, using an electronic computing device, a revocation proof via a single digital signature amortized over a plurality of validity proofs.
18. An apparatus comprising: an external network interface through which a request for validation status information for a certificate at a specific interval is made; a memory; and a processor coupled to the external network interface and the memory, wherein the processor handles a validity proof using a single grounded dense hash tree and a revocation proof via a digital signature.
19. A method comprising: accessing a proof of validity for a certificate; and determining, using an electronic computing device, the validity of the certificate using a grounded dense hash tree.
20. An apparatus comprising: an external network interface through which a request for validation status information for a certificate at a specific interval is made; a memory; and a processor coupled to the external network interface and the memory, wherein the processor accesses a proof of validity for a certificate and determines the validity of the certificate using a grounded dense hash tree.
Cooperative Patent Classification codes for this invention. Click any code to explore related patents in that topic.
September 9, 2004
November 23, 2010
Browse 5M+ US patents with plain-English claim translations and AI-generated analysis.